VLAN MGMT

I have 2 L2 switches, one in the DMZ and one in the LAN. I would like to put a single VLAN dedicated to these two switches. What is the best option?

(a) Is it by creating the same VLAN on both switches and then connecting a cable between the LAN and DMZ switch, configuring this port as an access port to prevent VLANs from crossing from the DMZ switch into the LAN switch?

(b) Is it by setting the port as a trunk and restricting the set of allowed VLANs?

(c) Which is the best option?

If you share only one VLAN between the switches, you can connect them using access ports. More often you share several VLANs, which requires 802.1Q tags and trunk ports. On Catalyst switches the trunk configuration may resemble:

vtp mode transparent
!
vlan internal allocation policy ascending
vlan dot1q tag native
!
vlan 400
 name SECURITY_NATIVE
vlan 500
 name V500
vlan 501
 name V501
vlan 502
 name V502
!
interface FastEthernet0/1
 description Fa0/1_TRK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 400
 switchport trunk allowed vlan 1,500-502
 switchport mode trunk
 switchport nonegotiate

-Jim Leinweber, WI State Lab of Hygiene
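The answer's config relies on a handful of settings that decide how much a DMZ/LAN trunk can be abused: VTP transparent so a peer cannot rewrite the VLAN database, `switchport nonegotiate` so DTP cannot turn an access port into a trunk, a dedicated native VLAN that carries no data, and an explicit allowed-VLAN list. The following is an added example (not Jim's code, not Cisco tooling): a small Python lint that parses an IOS-style config and reports those settings. The two configs embedded in it are constructed samples, one modelled on the answer above and one deliberately left at IOS defaults; the VLAN 1 check is an advisory note, since the answer's own config allows VLAN 1 across the link.

```python
"""Trunk hardening lint for an IOS-style DMZ/LAN inter-switch link.

Added example, not from the original post. It parses a Catalyst-style config
such as the one in the answer above and reports the trunk settings a reviewer
would check before letting a DMZ switch and a LAN switch share a link.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, modelled on the answer's config (not a real device dump).
SAMPLE_CONFIG = """\
vtp mode transparent
vlan dot1q tag native
!
vlan 400
 name SECURITY_NATIVE
vlan 500
 name V500
!
interface FastEthernet0/1
 description Fa0/1_TRK
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 400
 switchport trunk allowed vlan 1,500-502
 switchport mode trunk
 switchport nonegotiate
"""

# Constructed weaker variant: DTP left on, default native VLAN, every VLAN allowed.
WEAK_CONFIG = """\
interface FastEthernet0/2
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""


def expand_vlan_list(spec: str) -> set[int]:
    """Expand an IOS VLAN list such as '1,500-502' into {1, 500, 501, 502}."""
    vlans: set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


@dataclass
class Trunk:
    name: str
    mode: str | None = None
    native: int = 1                    # IOS default native VLAN
    allowed: set[int] | None = None    # None means "all VLANs" (IOS default)
    nonegotiate: bool = False


def parse(config: str) -> tuple[dict[str, bool], list[Trunk]]:
    """Return the global hardening flags and every interface configured as a trunk."""
    flags = {"vtp_transparent": False, "tag_native": False}
    ports: list[Trunk] = []
    cur: Trunk | None = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "vtp mode transparent":
            flags["vtp_transparent"] = True
        elif line == "vlan dot1q tag native":
            flags["tag_native"] = True
        elif m := re.match(r"interface (\S+)$", line):
            cur = Trunk(name=m.group(1))
            ports.append(cur)
        elif cur is None:
            continue                   # 'vlan NNN' stanzas before any interface
        elif line == "switchport mode trunk":
            cur.mode = "trunk"
        elif line == "switchport nonegotiate":
            cur.nonegotiate = True
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            cur.native = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan ([\d,\- ]+)$", line):
            cur.allowed = expand_vlan_list(m.group(1))
    return flags, [p for p in ports if p.mode == "trunk"]


def audit(config: str) -> list[str]:
    """Return one finding per weak setting; an empty list means the trunk passed."""
    flags, trunks = parse(config)
    findings: list[str] = []
    if not flags["vtp_transparent"]:
        findings.append("global: VTP is not transparent; a peer could rewrite the VLAN database")
    for t in trunks:
        if not t.nonegotiate:
            findings.append(f"{t.name}: DTP still enabled (add 'switchport nonegotiate')")
        if t.native == 1:
            findings.append(f"{t.name}: native VLAN is the default (1); use a dedicated unused VLAN")
        if t.allowed is None:
            findings.append(f"{t.name}: no allowed-VLAN list; every VLAN crosses the DMZ/LAN link")
        else:
            if t.native in t.allowed and not flags["tag_native"]:
                findings.append(f"{t.name}: native VLAN {t.native} also carries data untagged; "
                                "prune it or enable 'vlan dot1q tag native'")
            if 1 in t.allowed:
                findings.append(f"{t.name}: advisory: VLAN 1 is allowed across the link; "
                                "prune it unless something really needs it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("answer-style", SAMPLE_CONFIG), ("default-style", WEAK_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Run it against a `show running-config` dump to get the same list; the answer-style sample yields only the VLAN 1 advisory, while the default-style trunk yields four findings (VTP, DTP, native VLAN 1 and the missing allowed list).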

Tags: Cisco Security

Similar Questions

  • VM cannot ping some hosts

    Good morning everyone,

    I'm writing to kindly ask for support because after hours and hours of troubleshooting I have not found a solution to the problem...

    A very, very strange problem at a site where I have a vSphere kit with 2 ESXi 5.5 nodes (5.2up3), as follows:

    1 IBM SERVER with local RAID 10 disks, 1 4-port NIC in static LACP + mgmt VLAN separate from the VM VLAN

    1 DELL SERVER with local RAID 5 disks, 2 2-port NICs in static LACP + mgmt VLAN separate from the VM VLAN

    Both servers were running correctly without problems, but one night the IBM server shut down (probably a power failure and/or low UPS battery).

    Since that day, a VM running Windows Server 2012 (not R2) with Exchange Server 2010 SP1 (hosted on the IBM) cannot ping some IPs on the same subnet (10.1.1.0/24), those IPs cannot ping it, and neither can some network printers (used for scan-to-email).

    I checked the IBM ESXi, checked the VLAN, checked the vSwitch, checked the port group... but I can't understand where the problem is... obviously the other VM on the same IBM host has the same problem... it cannot ping some IPs on the subnet above...

    I also have a photo of the setup attached...

    Thank you in advance for your advice and attention.

    Have you tried disconnecting the VM's NIC from its port group? Attach it to another port group and then move it back to the original one.

    Check the ARP tables of the machines, verifying that the MAC address associated with the IP is correct. Give the switches a reboot.

    I would not use LACP connections to the switches; the ESX hosts manage failover and load balancing on their own.

    Regards

  • Redundancy - blades with one CNA and a 10 GB NIC

    Hello

    We are about to introduce new blades with a single CNA (two ports) and a 10 GB Dell NIC in our environment.

    The CNA will be used for IP and FCoE. Now there is an internal discussion about redundancy, since this is just ONE CNA per blade. I see this as a single point of failure. I think we should at least use the 10 GB NIC to separate part of the traffic (for example, management or vMotion).

    I'm curious, how do you see it, or how did you design this for your environment?

    Thank you

    We run two dual-port CNAs, for a total of four converged 10 G connections. Each CNA has a connection to each upstream switch fabric.

    Each link is used for FCoE and also carries all the VLANs (MGMT, vMotion, NFS, guest). We run multi-NIC vMotion so that each link is used for vMotion traffic.

    We tag traffic with CoS values on the N1KV and let the UCS fabric's queuing guarantee each traffic class a share of the link, but not limit it to only that share if the other traffic types are not consuming all of their allocation.

    With only a single CNA you won't have FCoE storage redundancy, even if you can use your other 10G to create network redundancy.

  • Validation of the DMZ design

    Here is a summary of my current client environment: 30 physical machines in total. I have a data center with 3 different VLANs: a public-facing DMZ, a company intranet and a DMZ. Security is important in this environment, and we should not go through certification and accreditation audits. I'm afraid that the security officer will push for physical separation for each network, such as running different ESX clusters for each. That would be very costly and inefficient, especially since both DMZ networks have 3-4 VMs each. I wouldn't run 4 VMs on a pair of DL380 G6s simply because they are in a different trust zone!

    I propose to create a distributed vSwitch with a 4-NIC team, with each VLAN segmented using VLAN tagging and combining the three zones on the same physical host. We can also consider having the MGMT and vMotion VLANs on these same 4 NICs. I already read this document and it describes in detail how this could be done.

    http://www.VMware.com/files/PDF/dmz_virtualization_vmware_infra_wp.PDF

    I think we're going to need to use a product like vShield Zones, or a 3rd-party virtual firewall (such as Altor), to pass our audits and satisfy the security people. We can get more physical NICs for the hosts if that will provide better separation. I guess from a network traffic perspective it might be good practice to at least put the service console and vMotion on separate NICs.

    Where should we go with VLANs here, or would you advise using NICs on separate virtual switches for the separation? Finally, my question boils down to this: is my design solid, and are there any additional recommendations for running the three different trust zones in a single cluster?

    Thanks in advance!

    Hello

    EST always implies that you use VLANs within your physical network for the DMZ and other trust zones... So continue to use VLANs within the virtual world. You can't really treat the vNetwork as 'less' safe than the pNetwork because it actually is NOT. It's safer 'out of the box' from a Layer 2 perspective, as the vNetwork is not susceptible to many Layer 2 attacks while the pNetwork 'out of the box' is.

    If you use VLANs in the physical world then you 'trust' that your pSwitches stay or are configured correctly.

    So use VLANs in the vNetwork as well. VST works fine in this case.

    However, if your DMZ is PHYSICALLY separated from your other pNetworks then maintaining this separation implies EST to the DMZ pSwitch. I wouldn't take the DMZ pSwitch, plug it into the pSwitch directly upstream of the ESX host and then use EST/VST. This is not correct.

    In both cases, when you combine DMZ and non-DMZ trust zones on the same cluster, you need to increase your vigilance to ensure that things do not move to where they do not belong.

    Even within the same cluster, I tend to keep my DMZ VMs on their own host or hosts to ensure their load does not impact the rest of the environment, or at least start like that and let DRS figure out the rest. I also put DMZ VMs on a separate LUN to avoid disk IO problems.

    However, if you need to be compliant, your auditors MAY require physical separation at the moment, as PCI has yet to issue any other type of guidance. This decision is really left to the auditor. That probably means you WILL have to physically separate. Talk to your auditors; they are there to help.

    Best regards
    Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009

    Now available: 'VMware vSphere(TM) and Virtual Infrastructure Security' http://www.astroarch.com/wiki/index.php/VMware_Virtual_Infrastructure_Security

    Also available: 'VMWare ESX Server in the Enterprise' http://www.astroarch.com/wiki/index.php/VMWare_ESX_Server_in_the_Enterprise

    Blogs: Virtualization Practice http://www.virtualizationpractice.com | Blue Gears http://www.astroarch.com/blog | TechTarget http://itknowledgeexchange.techtarget.com/virtualization-pro/ | Network World http://www.networkworld.com/community/haletky

    Podcast: Virtualization Security Round Table Podcast http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_Podcast | Twitter: http://www.twitter.com/Texiwill

  • Can't access ESXi host after VLAN for MGMT has been implemented?

    Hello

    We run ESXi 5.1 and recently, to get our network in order:

    The network administrator has assigned VLAN 5 only to the MGMT vSwitch. Since then, we are not able to ping the ESXi host or access it in vCenter.

    He assigned different VLANs for the vMotion vSwitch and the VM vSwitch.

    I would just like to ask your advice on what changes I need to make.

    Hello

    That doesn't sound right. You have 3 different vSwitches with 2 ports each, so you cannot team them together on the switch side.

    This would have been right if you had a vDS with 6 uplinks and various port groups, which by your description you do not.

    What you need from the network is to set up 3 different teams, one per vSwitch, and to start with, the management one must be in access mode so that you can regain connectivity to your ESX box.

    Also, vMotion doesn't need to be in trunk mode; you'll only have vMotion on it. Data (VM) must be trunked.

  • Voice VLAN on N3048P and DHCP issues

    Hello

    I just received several N3048P switches for our access layer and 2 x 4048 for our core layer. The N3048Ps are VLT'd between the two 4048s. There are 4 x N3048P stacked on top of each other. The 4048s hold all the gateways via VRRP.

    I have 802.1X working with my Windows test client, and I can get the phone (Cisco 7941) to acquire a DHCP address if I put it on a port in "switchport mode access". However, if I change the port to a general port with voice VLAN and 802.1X enabled, the phone does not get a DHCP address, but the PC attached to the phone gets a DHCP address in the correct VLAN.

    I see CDP and LLDP messages exchanged via Wireshark, and it seems that the phone and the switch are exchanging the voice VLAN correctly.

    My question is, why can't the phone get a DHCP address?

    Here's the relevant switch config below. I know that some of the config may be duplicated from troubleshooting steps:

    vlan 75
    name "Test"
    exit
    vlan 76
    name "Test_Phones"
    exit

    ip helper-address 1.1.1.3 dhcp
    ip helper-address 1.1.1.4 dhcp

    interface vlan 75
    ip address 172.16.75.4 255.255.255.0
    ip helper-address 1.1.1.3
    ip helper-address 1.1.1.4
    exit
    interface vlan 76
    ip address 172.16.76.4 255.255.255.0
    ip helper-address 1.1.1.3
    ip helper-address 1.1.1.4

    aaa authentication login "defaultList" local
    aaa accounting dot1x default start-stop radius
    dot1x system-auth-control
    aaa authentication dot1x default radius
    aaa authorization network default radius

    voice vlan

    radius-server source-ip 172.16.75.4
    radius-server key "key"
    radius-server host auth 1.1.1.1
    primary
    name "rad1"
    usage 802.1x
    key "key"
    exit
    radius-server host auth 1.1.1.2
    name "rad2"
    usage 802.1x
    key "key"
    exit
    radius-server host acct 1.1.1.1
    name "rad1"
    exit
    radius-server host acct 1.1.1.2
    name "rad2"
    exit

    interface Gi2/0/1
    description "802.1x client port"
    spanning-tree portfast
    spanning-tree guard root
    switchport mode general
    switchport general allowed vlan add 75-76 tagged
    dot1x re-authentication
    dot1x quiet-period 5
    dot1x tx-period 5
    dot1x guest-vlan 20
    dot1x unauth-vlan 20
    lldp transmit-tlv sys-desc sys-cap
    lldp transmit-mgmt
    lldp notification
    lldp med confignotification
    voice vlan 76
    voice vlan auth disable
    exit

    Thanks for any input you may have. Let me know if there is any other information I can provide.

    -Jason

    This ended up being the correct port configuration:

    interface Gi2/0/1
    description "802.1x client port"
    spanning-tree portfast
    switchport mode general
    switchport general pvid 75
    switchport general allowed vlan add 75
    switchport general allowed vlan add 76 tagged
    dot1x port-control mac-based
    dot1x re-authentication
    dot1x quiet-period 5
    dot1x timeout supp-timeout 15
    dot1x tx-period 5
    dot1x guest-vlan-period 15
    dot1x guest-vlan 20
    dot1x unauth-vlan 20
    voice vlan 76
    voice vlan auth disable

    The most important line here is "dot1x port-control mac-based". I had "dot1x port-control auto" configured, but it did not work as expected. In addition, setting guest-vlan-period and supp-timeout was necessary: if the port was bounced, the switch would not necessarily re-authenticate the port.

  • Port / VLAN config on MXL switch

    I'm not a network engineer, but I am trying to set a port on my MXL switch to a VLAN that will route traffic to virtual machines on a local compute network.

    This is port Te 0/52 on the back of the MXL, and I am running ESXi on servers in my M1000e. In fact, I have two MXLs in fabric A of the M1000e configured with VLT via the FortyGig interfaces. This part was implemented by the Dell Tech Services people doing the installation.

    Here's what the config looked like to start:

    dsa1#show vlan

    Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
           O - Openflow
    Q: U - Untagged, T - Tagged
       x - Dot1x untagged, X - Dot1x tagged
       o - OpenFlow untagged, O - OpenFlow tagged
       G - GVRP tagged, M - Vlan-stack, H - VSN tagged
       i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged

        NUM    Status    Description    Q Ports
    *   1      Active                   U Po33(Fo 0/33,37)
                                        U Po41(Te 0/41-44)
                                        U Te 0/1-32
        115    Active    Mgmt           T Po41(Te 0/41-44)
                                        V Po33(Fo 0/33,37)
                                        T Te 0/1-32
        486    Active    VMGuest        T Po41(Te 0/41-44)
                                        V Po33(Fo 0/33,37)
                                        T Te 0/1-32
                                        U Te 0/49-50

    And I wanted to add VLAN 1000 for Compute, so I did the following:

    dsa1#conf

    dsa1(conf)#interface Te 0/52
    dsa1(conf-if-te-0/52)#show config
    !
    interface TenGigabitEthernet 0/52
     no ip address
     mtu 12000
     portmode hybrid
     switchport
     flowcontrol rx on tx off
     spanning-tree rstp edge-port bpduguard shutdown-on-violation
     no shutdown

    dsa1(conf)#interface vlan 1000
    dsa1(conf-if-vl-1000)#show config
    !
    interface Vlan 1000
     description Compute
     name Compute
     no ip address
     tagged TenGigabitEthernet 0/1-32
     untagged TenGigabitEthernet 0/52
     no shutdown

    The VLANs now look like:

    dsa1#show vlan

    Codes: * - Default VLAN, G - GVRP VLANs, R - Remote Port Mirroring VLANs, P - Primary, C - Community, I - Isolated
           O - Openflow
    Q: U - Untagged, T - Tagged
       x - Dot1x untagged, X - Dot1x tagged
       o - OpenFlow untagged, O - OpenFlow tagged
       G - GVRP tagged, M - Vlan-stack, H - VSN tagged
       i - Internal untagged, I - Internal tagged, v - VLT untagged, V - VLT tagged

        NUM    Status    Description    Q Ports
    *   1      Active                   U Po33(Fo 0/33,37)
                                        U Po41(Te 0/41-44)
                                        U Te 0/1-32
        115    Active    Mgmt           T Po41(Te 0/41-44)
                                        V Po33(Fo 0/33,37)
                                        T Te 0/1-32
        486    Active    VMGuest        T Po41(Te 0/41-44)
                                        V Po33(Fo 0/33,37)
                                        T Te 0/1-32
                                        U Te 0/49-50
        1000   Active    Compute        T Te 0/1-32
                                        U Te 0/52

    But I wanted to add the VLT tag for Po33 to the new VLAN because it's on the others, not because I really understand what it does. In my view, it is used for load balancing? If I tag it with the command "tagged Po33" in the VLAN config, it comes out with status "T" instead of "V".

    Here are the VLT details:

    dsa1#show vlt detail
    Local LAG Id  Peer LAG Id  Local Status  Peer Status  Active VLANs
    ------------  -----------  ------------  -----------  -------------
    41            41           UP            UP           1, 115, 486
    dsa1#show vlt brief
    VLT Domain Brief
    ------------------
      Domain ID: 100
      Role: Secondary
      Role Priority: 4096
      ICL Link Status: Up
      HeartBeat Status: Up
      VLT Peer Status: Up
      Local Unit Id: 0
      Version: 6(4)
      Local System MAC address: f8:b1:56:09:70:b1
      Remote System MAC address: f8:b1:56:09:70:fd
      Configured System MAC address: 00:01:00:01:00:01
      Remote system version: 6(4)
      Delay-Restore timer: 90 seconds
      Delay-Restore Abort Threshold: 60 seconds
      Peer-Routing: Disabled
      Peer-Routing-Timeout timer: 0 seconds
      Multicast peer-routing timeout: 150 seconds

    So my questions are: am I on the right track? Will it do what I want, which is to send traffic on port Te 0/52 that is tagged in ESXi with VLAN 1000? Should I worry about the VLT tagging stuff, and if so, how should I do VLT tagging rather than normal tagging?

    Connecting only 1 port of 1 MXL to a device makes that device an orphan switch/host. A VLT connection will have 1 port from each MXL placed in a port channel and connected to a device.

    Here is a good article that covers VLT in use with different topologies.

    http://Dell.to/1wfDl3n

    And the User Guide is a good source to have as well.

    http://Dell.to/1Hy70bb

  • Confused about the notion of VLAN

    I'm confused about VLANs. I thought that the notion of a VLAN was that computers on different VLANs were not supposed to be able to communicate with each other. I am setting up a 6248, and for me to get DHCP to work, I need to enable IP routing. When I turn on IP routing, all computers on different VLANs are able to ping each other. Is this the way it was supposed to work, or am I missing something?
    MGMT is on VLAN 4093
    DHCP is on VLAN 100, trunk e34, 10.10.1.1
    Host 1 is on VLAN 200, trunk e34, 10.10.2.1
    Host 2 is on VLAN 300, trunk e34, 10.10.3.1
    IP routing enabled

  • VLAN and configuration questions for Cisco AIR-CT2504-25-K9 controller

    Hello

    It's my first time with Cisco wireless solutions, so I was hoping someone could help me with the following:

    We just bought the AIR-CT2504-25-K9 controller with some AIR-CAP1702I-E-K9 access points.

    The network is as follows:

    Layer 3 device (managed by third parties): it's the domain network. (Default VLAN 1 - untagged)

    ADSL router - it's the guest wireless network. (Default VLAN 4 - tagged).

    VoIP: VLAN 5.

    Both feed into a Cisco SG500 52 switch (Layer 2). There is a trunk port on the SG500 switch with VLAN 1 (untagged) and VLAN 4 (tagged). The WLAN controller is plugged into this trunk port.

    The data and management networks are in the same subnet and on the same VLAN (1).

    I used the setup wizard on the controller.

    There are three interfaces:

    management: VLAN ID 1, IP 192.168.1.2, Port 1 (configured with the domain network gateway, DHCP, etc.).

    guest wireless: VLAN ID 4, IP 192.168.5.1, Port 1 (configured with the ADSL modem router, DHCP, etc.).

    Virtual IP 192.0.2.1

    DHCP proxy enabled globally.

    There are two WLANs:

    (1) domain - management interface - SSID abc.

    (2) guest - guest wireless interface - SSID xyz (the wizard set it to management, but I changed it to the guest wireless interface).

    The APs are connected to another SG500 switch, which is trunked to the switch with the controller.

    The ports the APs are connected to have only VLAN 1 untagged. They don't have VLAN 4, tagged or untagged. However, everything seems to work as expected.

    When I join the guest network (SSID xyz), I get an IP address from the ADSL router and all Internet traffic goes through it. When I connect to the domain network (SSID abc), I get an IP address from the DHCP on Windows Server and all traffic goes through the Layer 3 device (I checked the public IP address in my browser). I can't ping anything from one network to the other.

    My questions are the following:

    (1) How does the guest network traffic (VLAN 4) reach the controller from the APs when they are connected to ports on VLAN 1? Is it because the traffic is encapsulated?

    (2) Is it set up correctly? After configuring the controller, I saw a note in the forums stating that I can simply enter 0 for the management VLAN to leave it untagged. However, in my case I kept it as 1, which is the same as on the switches, and then tagged the VLAN on the switch. In addition, the wizard set the guest WLAN to use the management interface, but I changed it to use the guest interface.

    (3) When I connect to the APs from the controller, I see several options that can be configured manually. Is it necessary to do this? For example, there is a data encryption option.

    Thank you

    A

    Hello

    (1) How does the guest network traffic (VLAN 4) reach the controller from the APs when they are connected to ports on VLAN 1? Is it because the traffic is encapsulated?

    Yes, it's CAPWAP:

    More information: http://lets-start-to-learn.blogspot.de/2014/08/cisco-wireless-understand...

    (2) Is it set up correctly? After configuring the controller, I saw a note in the forums stating that I can simply enter 0 for the management VLAN to leave it untagged. However, in my case I kept it as 1, which is the same as on the switches, and then tagged the VLAN on the switch. In addition, the wizard set the guest WLAN to use the management interface, but I changed it to use the guest interface.

    If you want the mgmt interface to be untagged then set 0, otherwise you can use VLAN 1.

    I don't have what is configured under the mgmt and guest interfaces, but going by the name I'd say yes, you must set the guest interface under the guest WLAN.

    (3) When I connect to the APs from the controller, I see several options that can be configured manually. Is it necessary to do this? For example, there is a data encryption option.

    Yes, there are many things you can configure, but I'd leave most things at their defaults unless you really need to change them!

    Follow the best practices: http://www.borderlessccie.net/?p=270

    Regards

    Remember to rate useful posts

  • System VLAN on Nexus 1000v

    Hi all

    I understand that system VLANs allow traffic to flow for a VLAN when the VSM is not accessible, and that system VLANs should NOT be normal virtual machine traffic VLANs. In my deployment of a normal vSphere environment with N1KV, I'll put these VLANs as system VLANs: ESXi mgmt, N1KV mgmt, control & packet, vMotion, storage over IP.

    I put the VLANs as system VLANs on the uplink port profiles and on the individual port profiles for each VLAN. Correct me if that's wrong.

    What should be a system VLAN, or which ones shouldn't be? The vMotion VLAN? What are the disadvantages of specifying all VLANs as system VLANs? Isn't it better, because even if the VSM went down for some reason, the VEM will still forward traffic for all virtual machines?

    Thank you

    Ming

    Ming,

    Your understanding of system VLANs is not totally accurate. All VLANs will keep forwarding in the case where your VSM is not accessible. Each VEM module will continue to pass system and non-system VLAN traffic if the VSM is offline. EACH VEM will keep its current programming, but will not accept any changes until the VSM is back online. System VLANs behave differently in that they will always be in a forwarding state. System VLANs will forward traffic even before a VEM is programmed by the VSM. That is why some profiles demand them as system, i.e. control/packet etc. These VLANs must be forwarding in ORDER for the VEM to talk to the VSM.

    As for your list of "what should be a system VLAN": remove vMotion. There is no reason your vMotion network should be defined as a system VLAN. All the others are correct.

    Also remember that you can ONLY define a system VLAN on one uplink port profile. So if you use one uplink for "system" type traffic and the other for "VM data" type traffic, you would have any single VLAN "allowed" on only one uplink, not both. Allowing them on both will cause problems. The other thing to keep in mind is that for a "system vlan" to apply, it must be defined on the vEthernet port profile AND on an uplink port profile.

    E.g.

    Let's say my Service Console uses VLAN 10 and my VMs also use VLAN 10 for their data traffic. (Bad design, but just to illustrate a point.)

    Setting the system VLAN in "two places" would allow you to treat ONLY your "Service Console" traffic as system traffic and still apply security programming to your "VM Data" VLAN traffic. After a reboot, your Service Console traffic would be forwarded immediately, but your VM data would not be until the VEM had pulled the programming from the VSM.

    port-profile type vethernet dvs_ServiceConsole
      vmware port-group
      switchport mode access
      switchport access vlan 10
      no shutdown
      system vlan 10                 <== defined as system
      state enabled

    port-profile type vethernet dvs_VM_Data_VLAN10
      vmware port-group
      switchport mode access
      switchport access vlan 10      <== no system
      no shutdown
      state enabled

    port-profile type ethernet system-uplink
      vmware port-group
      switchport mode trunk
      switchport trunk allowed vlan 10,3001-3002
      channel-group auto mode active
      no shutdown
      system vlan 10,3001-3002       <== system vlan 10
      state enabled

    Hope this clears up your understanding.

    Kind regards

    Robert

  • Configuration of VLAN (management) SG200 series

    Hello.

    Can someone help me configure (a normally very easy thing...) a Cisco SG200-08 switch?

    Please see the attachment (sg200-1.jpg) for detailed information. ... Sorry in advance for my bad writing :)

    My problem is:

    I want to manage the switch via the trunk port (port 1) on the SG200 from the MGMT PC on VLAN 30 and have all the other 7 ports free for other VLANs.

    Please see the attached screenshots for my current config.
    This config works (I can ping the SG200 from the mgmt PC), but I can't change the VLAN for port 2 (it says that I would lose the management functionality).

    Any ideas?

    Hi Frank,

    Indeed, you'd get this error message, and no matter whether VLAN 30 is the switch default or just the IPv4 interface is on this VLAN, there always has to be a port (other than the trunk) that keeps VLAN 30 untagged and as PVID.

    I guess you want to use all the ports, but unfortunately that's how the switch was designed.

    Kind regards

    Aleksandra

  • VLAN configuration on SG300-20 for desktops and ESXi server

    Hello

    I'm fairly new to networking so please be gentle. I'm setting up a number of VLANs for my lab at home.

    I recently moved jobs and took an Oracle Apps Middleware role, and therefore need to start picking up Apache, e-Business Suite, load balancers etc., so I need to segregate my network to allow the different configurations I want to install in my ESXi lab.

    My setup is detailed below:

    I have a DrayTek 2860n router which is my Internet gateway on IP 192.168.1.1

    My Cisco switch has been set to 192.168.1.2 and set up to use Layer 3.

    I have a number of PCs connected to my switch that I want to use to administer my ESXi server and have access to the different VLANs.

    The VLANs I need are the following

    VLAN 1 192.168.1.x/24 Default / Internet Uplink
    VLAN 12 10.0.12.x/24 Workstations
    VLAN 13 10.0.13.x/24 Server management interface
    VLAN 14 10.0.14.x/24 Server public interface
    VLAN 15 10.0.15.x/24 Server private interface
    VLAN 20 10.0.20.x/24 Storage

    My ESXi server has two network interfaces: one that will carry MGMT, Public and Private traffic configured as virtual interfaces in ESXi, and one that carries my storage/NFS traffic to a QNAP NAS; I want to make it work on my network.

    Here is how I have the ports

    Port     VLAN membership
    G1       VLAN 1
    G13-20   VLAN 12 (need to access VLANs 1, 13, 14, 15, 20)
    G9       VLAN 13, 14, 15
    G10      VLAN 20
    G7-8     VLAN 20, LAG configured to the QNAP NAS

    G13-20 are my workstations that need to be on VLAN 12, but must also be able to connect to 13, 14, 15, 20 (SSH, RDP, NFS)

    G9 is the ESXi MGMT interface, which needs to carry traffic on VLANs 13, 14, 15

    G10 is the ESXi storage interface, which needs to access VLAN 20 only

    G7/G8 connect to the QNAP, which ideally I want to configure as a LAG. When I get more interfaces in my ESXi server I'll eventually team them to match.

    I set up an IP interface on my Cisco switch at 10.0.12.1 as the gateway for my workstations and created a static route in my router to allow traffic to the switch. This does not quite work yet.

    I also installed a default route to 0.0.0.0

    I followed a number of guides, but I'm struggling to get my head around the concepts and how to achieve the above configuration.

    Ideally, I want to configure this through the CLI as I've had no end of problems with the web interface of the Cisco switch.

    I believe G9 needs to be a trunk, and the others access; is that correct?

    How do the workstations access the other VLANs?

    Any help would be appreciated

    Thank you

    Paul

    Hi Paul, to break it down a little.

    Host A connects to port 13.

    config t
    int gi0/13
    switchport mode access
    switchport access vlan 12

    ESXi connects to port 9

    config t
    int gi0/9
    switchport mode trunk
    switchport trunk allowed vlan add 13-15

    (keep in mind that VLAN 1 is untagged here and is where your server's interface IP lives)

    This translates to:

    ESXi = 192.168.1.x/24, gateway 192.168.1.2

    interface vlan 1
    ip address 192.168.1.2 255.255.255.0
    no ip address dhcp

    Host A = 10.0.12.x/24, gateway 10.0.12.1

    interface vlan 12
    name Workstations
    ip address 10.0.12.1 255.255.255.0

    With this basic configuration, Host A should communicate with ESXi (no other config on the switch).

    Please try to get basic connectivity first, then we can work on the routes and DHCP.

    -Tom
    Please mark useful replies

  • Multiple SSIDs\VLANs, DHCP and wireless

    Hello

    Check out my last post in a different discussion.  I reported it as answered, my first question has been answered, but I am still confused of DHCP is working.  I work with a config along the lines of:

    I work with a WLC 5508.

    He'll be there 2 separate WLAN on their own VIRTUAL local area network.

    The WLC connects to the Southwest over a trunk link, which seems logical.

    However, my question is in connection with the TOUR to the switch... should be a trunk as well? (one answer, needs to be an access port)

    So my next question is:

    How clients in their ssid / VLAN respective will receive an IP via DHCP to it to the switch port that connects the TOWER on a VLAN?

    Here are the basics of my config.

    WLC 192.168.1.55 mgmt iface and .56

    VLAN 9 is going to be for APs only (network 192.168.9.0/24)

    VLAN 6 is for the private WLAN, example SSID is CORP-WLAN (network 192.168.6.0/24)

    VLAN 8 is for guests, example SSID is GUEST-WLAN (network 192.168.8.0/24)

    I have DHCP pools configured for each network, and option 43 is set for the APs on the SW closest to the WLC (the SW it uplinks to directly)

    I have a dynamic port configured on the WLC, and the two WLANs are associated with the port and have been given their respective VLANs.

    Let's say that I am an AP, I power on, and given that my SW port is in VLAN 9, my DHCP broadcast is heard by the SW, and it assigns me an IP from the 192.168.9.0 pool.  That's all great.  Now, I have a client that tries to associate to my GUEST-WLAN SSID and is now requesting an IP address... How does it get assigned an IP address from the correct pool?

    Maybe I'm overcomplicating it a bit...?

    In addition, let's say I have 3 DHCP pools configured for networks 192.168.6.0/24, 8.0 and 9.0 on my SW... How will the switch know which pool to match with each individual VLAN?  I should know this, but I feel forgetful... Does the SW need to have an interface vlan configured with an IP address that falls within a configured pool?

    Does that make sense, is that a good question?

    Bill

    There are several ways to solve your problem; it depends on your expectations. I guess that you will go with the default, Local AP mode.

    By default, it is important to note that client traffic is tunneled from the access point to the WLC, and then it exits the WLC on the VLAN that you specified. This is why the AP can be on a switchport mode access port and can reside in an entirely different VLAN/subnet from your wireless users.

    So assuming that is the model you want to follow, a high-level overview of the configuration would be as follows:

    Suppose you want WLAN 1 clients in VLAN 11 and WLAN 2 clients in VLAN 12, and that the WLC management interface is in VLAN 1.

    You simply need to create a dynamic interface in VLAN 11 and one in VLAN 12 with the appropriate addresses. Then you would set WLAN 1's egress interface to the VLAN 11 interface and WLAN 2's egress interface to the VLAN 12 interface.

    Now when a client joins WLAN 1, its traffic will be tunneled from the AP to the WLC via CAPWAP and exit the controller on VLAN 11. The client will now effectively be in VLAN 11.

    Does that make sense?
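    Bill's remaining question (which DHCP pool answers which VLAN, and whether the switch needs an SVI inside the pool's subnet) is decided by the subnet of the interface the request arrives on. The script below is an added example, not part of the thread: it parses IOS-style `interface vlan` / `ip dhcp pool` lines (a constructed fragment modelled on Tom's SVIs and Bill's three pools) and reports which pool would serve each VLAN, which VLANs have no pool, and which pools no SVI can reach.

```python
# Added example (not from the thread). An IOS DHCP server answers a request
# from the pool whose "network" contains the address of the interface the
# request arrived on (or giaddr, for relayed requests), so a VLAN only gets
# leases when its SVI address falls inside exactly one pool's subnet.
import ipaddress
import re

# Constructed config fragment: VLAN 12 has an SVI but no pool, and the GUESTS
# pool has no SVI, so both failure modes show up in the report.
SAMPLE_CONFIG = """
ip dhcp pool WORKSTATIONS
 network 192.168.6.0 255.255.255.0
ip dhcp pool GUESTS
 network 192.168.8.0 255.255.255.0
ip dhcp pool APS
 network 192.168.9.0 255.255.255.0
interface vlan 6
 ip address 192.168.6.1 255.255.255.0
interface vlan 9
 ip address 192.168.9.1 255.255.255.0
interface vlan 12
 ip address 10.0.12.1 255.255.255.0
"""

def parse_config(text):
    """Return ({pool_name: network}, {vlan_id: SVI address}) from IOS-style lines."""
    pools, svis, ctx = {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"ip dhcp pool (\S+)$", line):
            ctx = ("pool", m.group(1))
        elif m := re.match(r"interface vlan\s*(\d+)$", line, re.I):
            ctx = ("svi", int(m.group(1)))
        elif ctx and ctx[0] == "pool" and (m := re.match(r"network (\S+) (\S+)$", line)):
            pools[ctx[1]] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
        elif ctx and ctx[0] == "svi" and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            svis[ctx[1]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return pools, svis

def match_pools(pools, svis):
    """Map each VLAN to the pool that would answer DHCP on its SVI (None = no pool)."""
    return {vlan: next((name for name, net in pools.items() if addr.ip in net), None)
            for vlan, addr in svis.items()}

def unreachable_pools(pools, svis):
    """Pools no SVI falls into: they can never hand out a lease on this switch."""
    return sorted(name for name, net in pools.items()
                  if not any(a.ip in net for a in svis.values()))

if __name__ == "__main__":
    pools, svis = parse_config(SAMPLE_CONFIG)
    print(match_pools(pools, svis))        # {6: 'WORKSTATIONS', 9: 'APS', 12: None}
    print(unreachable_pools(pools, svis))  # ['GUESTS']
```

    A VLAN that maps to None, or a pool listed as unreachable, is the configuration gap Bill is asking about: the switch has no interface address to select that pool with.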

  • mgmt vCenter/vCSA and non routable network

    How are you all managing to get the vCSA connected to a non-routable management network without putting the vCSA on the mgmt network itself? I have VLANs for all networks (mgmt, vMotion, storage) and the VM network on VLAN 0. When you install the vCSA you use a routable IP address, but after that I have to add the mgmt network to the vCSA so that it can connect to the hosts, and that does not seem like the right way. vCSA with an extra vNIC is not supported.

    How do you manage this?

    Well, you need to sort out why one needs a non-routed management network. In case it is a security requirement, you would probably violate it by multi-homing your vCenter.

    In order to manage your vCenter inventory you would be obliged to get into this isolated network or create a secure/trusted/hardened multi-homed "jumpbox" machine that could be used for management activities.

  • Design - Rack Edge or Edge VLAN question

    I have Cisco UCS and Nexus 7K gear that I am designing for, so I am using this design guide:

    https://www.VMware.com/files/PDF/products/NSX/VMware-NSX-on-Cisco-n7kucs-design-guide.PDF

    However, it is not totally clear on how the physical-to-virtual connections must be deployed.  Looking at this guide (page 11), it seems that 5 VLANs must be trunked to each host (including the edge VLAN), and that would negate the need for a separate edge cluster (or rack).  However, the same guide also speaks of a mgmt and edge cluster and there is even a diagram (pg 13) that shows what looks to me like an edge host.  Since the mgmt, edge and compute clusters all share the same distributed switch, it seems that this design is indicating that there is no need for a separate edge cluster.   Does this sound right to you?

    While the document proposes trunking the edge VLAN to all hosts, the edge VLAN can simply be ignored and remain dormant on the compute hosts, thus connecting only the edge elements living on the edge/management cluster to the edge VLAN.  That accomplishes the goal of the edge cluster.  The edge vs. no edge decision isn't so much about which VLANs are connected, but more about how you plan to implement NSX and its components.

    Brad Hedlund did a good job talking through the N7K-specific design decisions, which the Cisco design document here does not cover, and helping you decide if an edge cluster is needed/wanted: http://bradhedlund.com/2015/02/06/going-over-the-edge-with-your-vmware-nsx-and-cisco-nexus/
